From the theft of intellectual property, personal emails and social security numbers at Sony
Pictures to the discovery of “Black Energy” malware on critical U.S. infrastructure computers, one
thing is clear: The computer hacking stakes are getting higher. What’s going on, and what can you
do to fortify your systems? Inquire within.
While visions of sugarplums were dancing
through our heads this past holiday season,
legions of hackers continued their relentless
pursuit of chaos to conjure their own version
of Black Friday. A recent cyber attack against
Sony Pictures Entertainment exemplifies this
growing challenge to companies large and
small – the need to not only back up your
computer systems securely, but also defend
against data destruction.
Cyber-crimes typically take one of three
forms: 1) gangs stealing information they can
pawn for money, 2) hacktivists disabling computers
or shaming companies in retaliation for
their “sins”, or 3) nation states engaging in
corporate espionage. But the Sony Pictures
case has taken corporate cyber attacks to a new
level of sophistication. And devastation.
Sony Gets Slammed
Sony was hit by hackers right before
Thanksgiving, resulting in a company-wide
computer shutdown, the leaking of unreleased
films to file sharing sites, and the public posting
of caches of confidential documents – documents
containing everything from Sony
employees’ healthcare files, passwords, and
social security numbers (including Sylvester
Stallone’s) to executive salaries and more.
The attack didn’t end with the pirating of
new films and sensitive employee data, either.
Large portions of Sony’s computer data were
also systematically destroyed, prompting the
FBI to issue a flash warning to security
administrators at American corporations
about recently discovered malware that commands
a computer to sleep for two hours,
reboots it, and then directs it to start purging
all of its files. The hackers also defaced Sony’s
websites with images of red skeletons, filled
the company’s Twitter feeds with rants, and
sent emails to Sony employees threatening
their family members.
Speculation about this breach has centered on
North Korea, retaliating for Sony’s planned
release of a movie about a farcical assassination
attempt on Kim Jong Un. But the fact that
Windows screensavers across the computer
network were replaced with images of a red
skeleton suggests the attackers had some help
inside the network – perhaps from a Sony
employee or a contractor at Deloitte, which
was also hacked by the same group around the
same time.
Covering Your Assets
Protecting your computer systems from hack
attacks requires as much vigilance on your
end as cyber scumbags display on theirs.
Not doing so can be catastrophic: Nearly two
weeks after the assault on Sony, its internal
systems were still disabled, with employees
reportedly using manual punch cards to document
work time.
Here are a few things to consider in assessing
your own cyber security:
1) Adopt comprehensive backup and disaster
recovery plans. Don’t think your security
and backup systems are good enough?
Congrats, you’ve passed the first test in cyber
security: Good enough never is. Even the most “bulletproof” offsite data storage facilities
are susceptible to theft. And that might
be the least of your headaches.
What if your systems are wiped out like
Sony’s? A wiper that runs with the same credentials
as your backup job will reach any backup that is
online and writable, so keep at least one recent
copy offline or otherwise out of its reach, and
prove you can restore from it. Do you have a detailed
step-by-step plan for getting back in business? How quickly?
What if the local power grid gets hacked and
goes down? Do you have a plan for staying in
business when the lights are off? Unfortunately,
that’s a very real possibility. Think about every
scenario and every entry point into your system.
Defend them like crazy.
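The restore test above is only meaningful if you can tell a complete restore from one that a wiper has already chewed on. The following added example (written for this column, not Sony’s or any vendor’s code) records a SHA-256 manifest of a backup set and later checks a restored tree against it, reporting files that are missing, altered, or were never in the backup. The three-file “company” and the simulated wiper damage in `demo()` are constructed for illustration; only the Python standard library is used.

```python
"""Build a hash manifest of a backup set and verify a restore against it.

Added example (not from the original column). demo() backs up a small
constructed tree, "restores" it, then deletes one file and corrupts another
in the restored copy to show what the verification reports.
"""
import hashlib
import json
import os
import shutil
import tempfile


def build_manifest(root: str) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns sorted lists: 'missing' (in manifest, absent on disk), 'modified'
    (present but digest differs) and 'unexpected' (on disk, not in manifest).
    All three empty means the restore is byte-for-byte complete.
    """
    actual = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in actual)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    unexpected = sorted(p for p in actual if p not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then simulate
    wiper damage to the restored copy. Returns the verification report."""
    base = tempfile.mkdtemp(prefix="bk_")
    try:
        src = os.path.join(base, "live")
        os.makedirs(os.path.join(src, "hr"))
        with open(os.path.join(src, "hr", "payroll.csv"), "wb") as f:
            f.write(b"id,name,salary\n1,alice,100\n")
        with open(os.path.join(src, "hr", "policies.txt"), "wb") as f:
            f.write(b"Keep backups offline.\n")
        with open(os.path.join(src, "readme.txt"), "wb") as f:
            f.write(b"restore order: hr first\n")

        manifest = build_manifest(src)                       # taken at backup time
        manifest_json = json.dumps(manifest, sort_keys=True)  # store it off-host, with the backup

        restored = os.path.join(base, "restored")
        shutil.copytree(src, restored)
        # Simulated wiper damage: one file gone, one overwritten with zeros, one stray file
        os.remove(os.path.join(restored, "hr", "payroll.csv"))
        with open(os.path.join(restored, "readme.txt"), "wb") as f:
            f.write(b"\x00" * 24)
        with open(os.path.join(restored, "hr", "stray.tmp"), "wb") as f:
            f.write(b"junk")

        return verify_restore(json.loads(manifest_json), restored)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest has to live somewhere the wiper cannot edit (printed to paper for a small shop, or on the same offline media as the backup); a manifest stored on the file server it describes is worthless once that server is overwritten.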
2) Review your cyber security frequently.
State-of-the-art security measures become
outdated quickly. The widespread use of
CAPTCHAs – those swirly mashed-up letters
you must type to prove you’re not a bot – isn’t
only a pain; it’s also increasingly useless.
Google’s own researchers reported in 2014 that
their image-recognition models solve the hardest
distorted-text CAPTCHAs with 99.8 percent
accuracy. Chances are good that
your company is using CAPTCHA as a security
layer somewhere.
Fortunately, Google now offers a tool that
replaces CAPTCHA with a simple box the
user must check in response to an “I’m not a
robot” prompt. This new process is powered
by a risk-analysis engine that judges your
“humanness” from what you do before, during
and after clicking on the box, and falls back to a
traditional puzzle when it isn’t sure. Whatever widget
you use, remember that it only issues a token in the
visitor’s browser; your server must verify that token,
or the checkbox is decoration.
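To make the server-side point concrete, here is an added example (written for this column, not Google’s code) of how a web application should treat the token the checkbox hands it: post it to Google’s `siteverify` endpoint, and accept it only if Google reports success, the token was issued for your own hostname, and it is fresh. The field names (`success`, `challenge_ts`, `hostname`, `error-codes`) follow Google’s published API; the HTTP transport is injected so the logic can run offline here, and the replies in `fake_post`, the `MAX_TOKEN_AGE` of two minutes and the secret `"SECRET"` are constructed assumptions.

```python
"""Server-side verification of a reCAPTCHA response token.

Added example, not from the original column or from Google. The checkbox
only produces a token in the browser; the server must send that token to
the siteverify endpoint and validate the reply. Transport is injected so
the checks run offline against constructed replies.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
MAX_TOKEN_AGE = timedelta(minutes=2)   # assumption: reject tokens older than this


def _http_post(url: str, fields: dict) -> dict:
    """Real transport: form-POST the fields and parse the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(token: str, secret: str, expected_hostname: str,
                     remote_ip: Optional[str] = None, now: Optional[datetime] = None,
                     post=_http_post) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the service reports success,
    the token was issued for our hostname, and it is fresh."""
    if not token or len(token) > 4096:
        return False, "missing or oversized token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(SITEVERIFY_URL, fields)
    except Exception as exc:            # network failure: fail closed, never open
        return False, f"siteverify unreachable: {exc}"
    if reply.get("success") is not True:
        return False, "rejected: " + ",".join(reply.get("error-codes", ["unknown"]))
    # A token solved on someone else's page that reuses our site key carries their hostname
    if reply.get("hostname") != expected_hostname:
        return False, f"hostname mismatch: {reply.get('hostname')!r}"
    try:
        issued = datetime.strptime(reply["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "unparseable challenge_ts"
    now = now or datetime.now(timezone.utc)
    if now - issued > MAX_TOKEN_AGE:
        return False, "token too old (replay?)"
    return True, "ok"


# ---- constructed offline stand-ins for the real service ----
def fake_post(url: str, fields: dict) -> dict:
    replies = {
        "good":  {"success": True, "challenge_ts": "2015-01-05T10:00:00Z", "hostname": "example.com"},
        "wrong": {"success": True, "challenge_ts": "2015-01-05T10:00:00Z", "hostname": "evil.test"},
        "bad":   {"success": False, "error-codes": ["invalid-input-response"]},
    }
    return replies.get(fields["response"], {"success": False, "error-codes": ["invalid-input-response"]})


def down_post(url: str, fields: dict) -> dict:
    raise OSError("timeout")


DEMO_NOW = datetime(2015, 1, 5, 10, 1, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Exercise every branch; returns case name -> (ok, reason)."""
    cases = {
        "valid":           ("good",  DEMO_NOW,                     fake_post),
        "other_site":      ("wrong", DEMO_NOW,                     fake_post),
        "google_rejected": ("bad",   DEMO_NOW,                     fake_post),
        "stale":           ("good",  DEMO_NOW + timedelta(hours=3), fake_post),
        "empty_token":     ("",      DEMO_NOW,                     fake_post),
        "siteverify_down": ("good",  DEMO_NOW,                     down_post),
    }
    return {name: verify_recaptcha(tok, "SECRET", "example.com", now=when, post=transport)
            for name, (tok, when, transport) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

The service already refuses to verify the same token twice, so the age check is belt and braces; the hostname check is the one most often skipped, and it is what stops a token harvested on an attacker’s page from being replayed against yours.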
3) Trust if you must, but verify. Sure,
you’ve got a firewall fortress protecting your
computer systems from black hat outsiders.
But sometimes, the good guys inside your
company are a bigger threat. Even if they
aren’t malicious, employees sometimes
expose your network to malware unwittingly
through things like virus-laden “Trojan
resumes” submitted to HR. The bigger
your company, the more talented people
will be hammering away at your systems,
trying to break them.
Pay particular attention to vendors who
have access to your IT systems from outside
the company: give each one its own accounts,
limited to the systems it actually needs, and
remove them when the engagement ends.
Going back to our Sony example,
it is believed (at press time) that a
Deloitte employee working for Sony might
have unknowingly infected their computers.
That would be the same Deloitte that’s been
touting its digital threat intelligence services
and advising companies about
Bottom line: There’s no such thing as being
too careful when setting up password/security
systems and training employees on the
responsible use of social media (and its security
vulnerabilities).
4) Mobile is not your friend. Where’s that
thumb drive been? Had the Iranians asked
that question – and scanned thumb drives for
malware before plugging them into their computers
– their nuclear weapon…er, um,
nuclear energy…program might not have suffered
a dramatic setback after the Stuxnet
worm destroyed roughly a fifth of their centrifuges.
Bear in mind that a scanner only catches what it
already knows, and Stuxnet spread through Windows
flaws nobody had patched yet, so also control which
removable devices may be connected at all.
Laptops, thumb drives, mobile phones, email
attachments…scan everything before allowing
any file transfers onto your network.
5) Take your security personally. If there’s
one take-away from the post-Sony, post-
Target, post-White House, post-everyone else
security breaches, it’s this: You have a responsibility
to protect yourself, your company,
your computers and your networks…because
nobody’s going to do it for you. And even if
they do, there’s no guarantee you’re totally
protected, right Deloitte?
There are some simple things you can do to
increase your safety. Use good password
hygiene – don’t use the same password everywhere,
don’t use a password anyone could guess
by reading your Facebook bio, and let a password
manager carry the burden of remembering unique
ones. Change your passwords frequently (each time you
adjust your clocks for Daylight Saving Time
isn’t a bad method), and change any password
immediately when the service that holds it is
breached. Use a separate credit card
for all of your online purchases, and monitor
your bank statements carefully.
Oh, and don’t keep a folder on your computer
system labeled “Passwords.” Allegedly, Sony
Pictures had such a folder, which probably contributed
to their victimization. Be smart and
maintain a healthy dose of paranoia regarding
cyber security. Chances are, you and your company
are at greater risk than you imagine.
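A “Passwords” folder is easy to mock and easy to miss on a busy file share. The following added example (written for this column, not from Sony or any vendor) walks a directory tree and flags folders or files whose names suggest a credential store, plus plain-text files containing lines like `admin_password: …`. The name and content patterns are a starting point, not a standard, and the small share that `demo()` builds is constructed for illustration.

```python
"""Flag plaintext credential stores on a file share or workstation.

Added example, not from the original column. Reports folders or files
whose names suggest a password store, and text files whose contents
contain credential-looking "key = value" lines. Patterns and the sample
tree in demo() are constructed; tune them before running on a real share.
"""
import os
import re
import shutil
import tempfile
from typing import Dict, List

NAME_HINTS = re.compile(r"passw(or)?d|pwd|credential|login|secret", re.IGNORECASE)
# Matches a line such as "admin_password: Summer2014!" or "api_key=abc123"
CONTENT_HINTS = re.compile(
    r"^[ \t]*[\w.-]*(passw(or)?d|pwd|secret|api[_-]?key|token)[ \t]*[:=][ \t]*\S+",
    re.IGNORECASE | re.MULTILINE,
)
# Only plain-text formats are content-scanned; Office documents are zip
# containers and would have to be unpacked first.
TEXT_EXT = {".txt", ".csv", ".ini", ".cfg", ".conf", ".xml", ".json", ".md", ".yaml", ".yml"}
MAX_BYTES = 1_000_000


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Return findings as dicts with 'path' (relative, '/'-separated) and
    'reason' ('folder name', 'file name' or 'content'); content hits also
    carry 'hit', the keyword that matched. Sorted by path."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir != "." and NAME_HINTS.search(os.path.basename(dirpath)):
            findings.append({"path": rel_dir, "reason": "folder name"})
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if NAME_HINTS.search(name):
                findings.append({"path": rel, "reason": "file name"})
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in TEXT_EXT or os.path.getsize(full) > MAX_BYTES:
                continue
            with open(full, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            hit = CONTENT_HINTS.search(text)
            if hit:
                findings.append({"path": rel, "reason": "content", "hit": hit.group(1).lower()})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> List[Dict[str, str]]:
    """Build a constructed share: a 'Passwords' folder holding a vendor login
    list, a switch config with an embedded password, and two harmless files.
    Returns what the scanner flags."""
    base = tempfile.mkdtemp(prefix="share_")
    try:
        files = {
            "Passwords/vendor logins.txt": "ftp.vendor.example  vendor01  Winter2014\n",
            "finance/budget.csv": "id,amount\n1,200\n",
            "it/switch-config.txt": "hostname core1\nadmin_password: Summer2014!\n",
            "notes/readme.md": "Remember to rotate keys quarterly.\n",
        }
        for rel, content in files.items():
            full = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        return scan_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the shares that HR, finance and IT actually use; the point is not the hit list itself but getting those secrets moved into a password manager or vault and the originals deleted.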
If that thought scares you, I’m sorry…but
you’ll thank me later. If that thought doesn’t
scare you…well, there’s a reason why the
School of Hard Knocks has such a large class
of graduates.
Op/ed column submitted by Ann Nygren,
President of Key Consulting Software. KCS
is an IT consulting company focused on
gaming and hospitality applications,
ranging from Agilysys (LMS/Stratton
Warren/Infogenesis), Infinium (AM, AR,
FA, GL, GT, HR, IR, PA, PL, PY, TR),
Bally (CMS, CMP, ACSC & SDS), and
interfaces with Aristocrat, IGT and
Micros, to transitioning properties during
the purchase, sale or merger of properties.
KCS provides IT Departments with assistance
in installation & upgrades, customization,
interfacing and creation of unique
client-specific software.
